Heap buffer overflow in version 2.8.0.0 with abstract Linux sockets #382

remyoudompheng · 2019-02-18T23:26:57Z

Hello,

There is a heap overflow in pokeSockAddr that was fixed in release 3.0.0.0 when using Linux abstract Unix sockets. As far as I know it is present in at least all versions from 2.6.3.3 to 2.8.0.0.

The following program reproduces a segfault with ghc 8.6.3 when compiled with the threaded runtime

import Network.Socket
import Control.Monad (forM)

main :: IO ()
main = do
    forM [1..100] $ \n -> do
        putStrLn (show n ++ " characters")
        sock <- socket AF_UNIX Stream defaultProtocol
        bind sock (SockAddrUnix ("\0" ++ (replicate n 't')))
        close sock
    return ()

with the following output:

$ ghc -threaded -dynamic -package network test.hs
$ ./test
...
86 characters
zsh: segmentation fault (core dumped)  ./test

Since many systems are still using network 2.8.0.0 (like the Stackage distribution) I would like to know whether a 2.8.0.1 version could be released.

The fix would be to have pokeSockAddr _ sa@(SockAddrUnix _) always use

zeroMemory p $ fromIntegral $ sizeOfSockAddr sa

like it does in the 3.x version.

The text was updated successfully, but these errors were encountered:

eborden · 2019-02-19T16:16:10Z

@remyoudompheng I would gladly accept a PR for 2.8.0.1.

There are two cases where pokeSockAddr can write past the end of the sockaddr_un structure and corrupt the heap: - when processing a very large Unix socket path (more than 108 bytes) - when processing the address of a Linux abstract Unix socket, where (2 + length path) bytes are allocated but sizeof(sockadr_un) are written.

remyoudompheng · 2019-02-19T20:57:30Z

For completeness I included in the PR a variant of commit c8042c7 to check lengths of ordinary Unix socket addresses.

You can obtain consistent crashes with a program like

import Network.Socket
import Control.Monad (forM)
import Control.Exception
import System.Directory

main :: IO ()
main = do
    forM [200..1000] $ \n -> do
        putStrLn (show n ++ " characters")
        sock <- socket AF_UNIX Stream defaultProtocol
        do {
            bind sock (SockAddrUnix (replicate n 't' :: String));
            removeFile (replicate n 't' :: FilePath);
        } `catch` (print :: SomeException -> IO ())
        close sock
    return ()

In this case it is probably easier to obtain more arbitrary memory writes.

There are two cases where pokeSockAddr can write past the end of the sockaddr_un structure and corrupt the heap: - when processing a very large Unix socket path - when processing the address of a Linux abstract Unix socket, where (2 + length path) bytes are allocated but sizeof(sockadr_un) are written. The fix is backported from version 3.0.0.0.

kazu-yamamoto · 2019-04-24T23:57:32Z

#400 fixes this.

remyoudompheng pushed a commit to remyoudompheng/network that referenced this issue Feb 19, 2019

Avoid out of bounds write in pokeSockAddr (haskell#382)

7950030

remyoudompheng pushed a commit to remyoudompheng/network that referenced this issue Feb 19, 2019

Avoid out of bounds write in pokeSockAddr (haskell#382)

6127419

kazu-yamamoto mentioned this issue Apr 23, 2019

Fixing unix socket on 2.8 #400

Merged

kazu-yamamoto closed this as completed Apr 24, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Heap buffer overflow in version 2.8.0.0 with abstract Linux sockets #382

Heap buffer overflow in version 2.8.0.0 with abstract Linux sockets #382

remyoudompheng commented Feb 18, 2019

eborden commented Feb 19, 2019

remyoudompheng commented Feb 19, 2019

kazu-yamamoto commented Apr 24, 2019

Heap buffer overflow in version 2.8.0.0 with abstract Linux sockets #382

Heap buffer overflow in version 2.8.0.0 with abstract Linux sockets #382

Comments

remyoudompheng commented Feb 18, 2019

eborden commented Feb 19, 2019

remyoudompheng commented Feb 19, 2019

kazu-yamamoto commented Apr 24, 2019